I was asked to add some users from Azure AD as Owner of the Azure subscription, in ARM. Being lazy and not wanting to add 10 users manually, I decided to create a PowerShell script (in case I am asked to do the same again). This script is available on TechNet:

With Windows Server 2016, containers arrive as a new feature of Windows Server. With TP5, the management of containers has changed. To manage the network, you no longer need a new switch; instead you use the new PowerShell cmdlet New-ContainerNetwork. To add a NAT rule, you need to use the Add-ContainerNetworkAdapterStaticMapping command. So I executed this:

Because I bought an Intel NUC 6th Generation 3 weeks ago, I tried to deploy Windows Server 2016 TP5 on it. The installation works fine. From my laptop, I downloaded the drivers from the Intel website, the Windows 10 64-bit version: https://downloadcenter.intel.com/product/89190

Reboot the server. Download the network card driver here and extract the file to get the sources:

We will now modify the network driver. The driver is located in the folder Your_Directory\LAN_Win10_64_20.7.1\PRO1000\Winx64\NDIS65. For Windows Server 2016 TP5, we will modify the file named e1d65x64.inf. Open it and search for the following lines:

Because I would like to have a VPN at home and a VPN with Azure, I was advised to use pfSense. This distribution is very flexible: it gives you the possibility to connect your host/VM to your ISP with PPPoE, but also to have a performant firewall that handles VPN connections with IPsec, OpenVPN, L2TP, etc.

The idea of this article is to create a S2S VPN with Azure RM via pfSense.

I started by connecting my pfSense VM (1 vCPU, 512 MB RAM) to my ISP with PPPoE. Because I have a dynamic public IP, I created a noip.com account with a DNS record. I connected my pfSense to NOIP so that this public IP is updated automatically, in Services > Dynamic DNS:

When my VM restarts or my lease ends, my IP will be updated directly on NOIP.

Azure

I will now create my VPN on Azure. Go to https://portal.azure.com and connect to your subscription. Be sure to create a virtual network in Resource Manager:

Next, you need to create your Virtual Network Gateway by choosing the virtual network created previously, a subnet for the gateway and a public IP. Choose the VPN gateway type, with a VPN type of Route-based:

After a few minutes, our gateway is ready. We now need to create a Local Network Gateway, which will hold the public IP of the pfSense and the local network behind the pfSense, so that Azure can reach it:

The only problem is that this script is for Azure classic and not for Azure RM.

So I modified this script to update your dynamic public IP on Azure, to limit the disruption of your S2S VPN with ARM. At home, this script is executed every 5 minutes. I will do an Azure Automation version later.

With Windows Server 2016 TP4, Microsoft added a new feature, Nested Hyper-V. This feature gives you the possibility to do virtualization inside VMs that are running on Hyper-V.

On 27 April, Microsoft released the TP5 version of Windows Server 2016. Because I am using my Azure Stack server as host, which is running Windows Server 2016 TP4, I tried to test Nested Hyper-V with TP5 on this server. I created a Nano Server with the Hyper-V role and created a VM named WS2016TP5 on it:

I started this VM and I had the following error:

Failed to start the virtual machine ‘WS2016TP5’ because one of the Hyper-V components is not running

The problem is that if you want to run the TP5 version of Nested Hyper-V, your Hyper-V host MUST be on TP5 too. I hope this helped you.

In February, Microsoft released the first version of the Azure Pack Connector. This plugin gives you the possibility to deploy and manage VMs in Azure directly from the Windows Azure Pack interface. On 5 April, Microsoft released version 1.1 of the plugin. It is with this version that I will show you how to deploy the plugin.

Connect to a server that has IIS Manager and generate a self-signed certificate or an enterprise certificate via a PKI. Export this certificate through IIS and import it on each server that will host the 3 previous roles. Import it into both the Current User and the Local Machine stores, including all extended properties and letting the store be selected automatically. After that, open the MMC and add the Certificates snap-in for Local Computer. Open the private key permissions of the certificate and add the Everyone group:

This certificate will be used for encryption.

You must download and install the following SQL Server 2014 Feature Pack components on each server where the plugin will be installed:

Shared Management Objects (SMO)

Transact-SQL ScriptDom (SQLDOM)

System CLR Types (SQLSysClrTypes)

Restart all servers. We can now start the installation of the plugin. Unzip the archive that you downloaded on the server where the admin extension will be installed and run SetupCMP.exe:

Choose to add new features:

Here, I will select the 2 following features:

CMP Server

WAP Admin Extension

Accept the license:

Choose where you want to install the software:

Give the name of the SQL Server that will store the database, with the instance name, for the CMP service:

Do the same for the WAP part:

I will use a service account to run the CMP service. This account must be a local administrator of the server. Choose the certificate that you generated at the beginning:

Here you have a summary of your installation:

The installation is done:

In IIS Manager:

In the WAP Admin Portal:

Now go to the server where the Tenant site is hosted and run SetupCMP.exe. The installation is the same, except that you will choose the WAP Tenant Extension:

Choose the existing database:

And choose the certificate that you imported:

Install the last feature:

Now go to the SQL instance that hosts the Microsoft.MgmtSvc.Store database (WAP DB) and execute the following query to create a new user and associate it with the database. You can change the username/password:

Now we need to update the connection string of the plugin with the correct SQL server name. Go to the server that hosts the CMP extension and open, as administrator, the Web.config file in the folder C:\inetpub\MgmtSvc-CmpWapExtension. Replace the connection string MicrosoftMgmtSvcStoreContext with the following, adapting it to your values:

Modify the 2 previous connection strings by adding ;MultipleActiveResultSets=True after the database name.

Do the previous 2 steps on each CMP server. Now, on each server, associate in IIS the certificate that you used during the installation of the plugin:

Run iisreset on each server to apply the modifications. On one server, we will run the script that registers this new Resource Provider. Go to C:\inetpub\MgmtSvc-CmpWapExtension and run the script Register-ResourceProvider.ps1. You need to provide the name of the server that hosts the Admin extension and the name of the server that hosts the Tenant extension:

We will now add the plugin to a plan. You will need the following information (all of it is available in the output of the previous script):

The ID of your Azure subscription (subscriptionId)

The ID of your Azure AD tenant (tenantId)

The key that you provided during the creation of the custom application (appKey)

The client ID (App ID)

From the administration portal, add the CMP service to a plan:

You will be able to see this, when adding an account:

Provide the information that you collected before:

Click on the Add Subscription button. If everything is right, you will get a green success message:

Add the subscription to a plan by clicking on Add Selected Subscription To Plan:

Choose which images and sizes will be available for this plan and click on Save:

In the client portal, you can deploy a VM on Azure:

And the details:

This new plugin is very interesting for deploying a VM on Azure quickly, but some features are missing, like the possibility to deploy a VM in a European datacenter, a Linux VM, etc.

Et voilà: as of April 1st 2016, Microsoft has made me a Microsoft MVP in the Cloud and Datacenter Management category.

Microsoft gave me this title for my different activities within the Microsoft community.

I want to thank the people who helped and supported me: Romain, JS, Benoit, Christophe, etc. (sorry to those I was not able to mention, but the list is too long) and you, the readers. But the one I thank the most is undoubtedly my wife, Alexandra, who supports me when I work evenings and weekends to bring you new content.

Once you are connected, you can get the list of available Resource Providers with the following command:

Get-AzureRmResourceProvider | FT ProviderNameSpace,ResourceTypes

What I want here is pretty simple. The user/group assigned to the role that I will create will be able to create/delete network cards and to read/join network security groups as well as virtual networks. I will use the Resource Provider Microsoft.Network for this. To get the list of all available operations, use the following command:

The first 3 bullets concern creating/reading/deleting network cards, the 4th and 5th concern reading NSGs and joining them, and finally the last 3 bullets are for reading virtual networks and subnets and getting an IP from the pool.

To store network cards, the user needs the right to write in the Resource Group, and therefore to read it. You will add the following 2 lines: